diff options
author | aszlig <aszlig@nix.build> | 2019-01-04 01:49:50 +0100 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2019-01-04 01:49:50 +0100 |
commit | 751bdacc9b726bf8e4623a7375e96563ee3614a5 (patch) | |
tree | c01877b976832941083d508e86d52f7b37c1917d /nixos/modules/services/networking/nsd.nix | |
parent | e753bc125f23225b1fb26ab7f4819d273bf2ed49 (diff) | |
download | nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar.gz nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar.bz2 nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar.lz nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar.xz nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.tar.zst nixpkgs-751bdacc9b726bf8e4623a7375e96563ee3614a5.zip |
nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values from pkgs, we'll run into an infinite recursion because the nsd module has a condition on the top-level definition of nixpkgs.config. While it would work to push the definition a few levels down, it will still only work if we don't use bind tools for generating zones. As far as I could see, Python support for BIND seems to be only needed for the dnssec-* tools, so instead of using nixpkgs.config, we now directly override pkgs.bind instead of globally in nixpkgs. To illustrate the problem with a small test case, instantiating the following Nix expression from the nixpkgs source root will cause the mentioned infinite recursion: (import ./nixos { configuration = { lib, pkgs, ... }: { services.nsd.enable = true; services.nsd.zones = import (pkgs.writeText "foo.nix" '' { "foo.".data = "xyz"; "foo.".dnssec = true; } ''); }; }).vm With this change, generating zones via import-from-derivation is now possible again. Signed-off-by: aszlig <aszlig@nix.build> Cc: @pngwjpgh
Diffstat (limited to 'nixos/modules/services/networking/nsd.nix')
-rw-r--r-- | nixos/modules/services/networking/nsd.nix | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index cde47bf23ea..492845eb4ec 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -437,6 +437,8 @@ let dnssec = length (attrNames dnssecZones) != 0; + dnssecTools = pkgs.bind.override { enablePython = true; }; + signZones = optionalString dnssec '' mkdir -p ${stateDir}/dnssec chown ${username}:${username} ${stateDir}/dnssec @@ -445,8 +447,8 @@ let ${concatStrings (mapAttrsToList signZone dnssecZones)} ''; signZone = name: zone: '' - ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} - ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} + ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} + ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} ''; policyFile = name: policy: pkgs.writeText "${name}.policy" '' @@ -953,10 +955,6 @@ in ''; }; - nixpkgs.config = mkIf dnssec { - bind.enablePython = true; - }; - systemd.timers."nsd-dnssec" = mkIf dnssec { description = "Automatic DNSSEC key rollover"; |